Recently an SMTP Smuggling attack on Postfix was published, as mentioned by the Postfix project:
Days before a 10+ day holiday break and associated production change freeze, SEC Consult has published an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>.
Unfortunately, criticial information provided by the researcher was not passed on to Postfix maintainers before publication of the attack, otherwise we would certainly have convinced SEC Consult to postpone publication until after people had a chance to update their Postfix or other affected systems.
The net result: a presumably unintended zero-day attack was published because some people weren’t aware of the scope of the attack.
At this time it means an upstream fix by Postfix is needed to fully fix the security issue.
Zimbra will create a patch with updated configuration files and an updated version of Postfix as soon as possible, meanwhile we recommend to add:
To the bottom of all the following files:
/opt/zimbra/common/conf/main.cf /opt/zimbra/common/conf/main.cf.default /opt/zimbra/common/conf/main.cf.proto
Remove the already existing line that reads: smtpd_discard_ehlo_keywords = from /opt/zimbra/common/conf/main.cf.default
And then as the OS user zimbra restart the MTA:
The following line should already be set in the configuration files, but be sure to check if it is indeed present on your installation:
smtpd_data_restrictions = reject_unauth_pipelining